// SPDX-License-Identifier: GPL-2.0-or-later

  /* SCTP kernel implementation

   * (C) Copyright IBM Corp. 2001, 2004
   * Copyright (c) 1999-2000 Cisco, Inc.
   * Copyright (c) 1999-2001 Motorola, Inc.
   * Copyright (c) 2001-2002 Intel Corp.
   * Copyright (c) 2002      Nokia Corp.
   *

   * This is part of the SCTP Linux Kernel Implementation.

   *
   * These are the state functions for the state machine.
   *

   * Please send any bug reports or fixes you make to the
   * email address(es):

   *    lksctp developers <linux-sctp@vger.kernel.org>

   *

   * Written or modified by:
   *    La Monte H.P. Yarroll <piggy@acm.org>
   *    Karl Knutson          <karl@athena.chicago.il.us>
   *    Mathew Kotowsky       <kotowsky@sctp.org>
   *    Sridhar Samudrala     <samudrala@us.ibm.com>
   *    Jon Grimm             <jgrimm@us.ibm.com>
   *    Hui Huang 	    <hui.huang@nokia.com>
   *    Dajiang Zhang 	    <dajiang.zhang@nokia.com>
   *    Daisy Chang	    <daisyc@us.ibm.com>
   *    Ardelle Fan	    <ardelle.fan@intel.com>
   *    Ryan Layer	    <rmlayer@us.ibm.com>
   *    Kevin Gao		    <kevin.gao@intel.com>

   */

  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

  #include <linux/types.h>
  #include <linux/kernel.h>
  #include <linux/ip.h>
  #include <linux/ipv6.h>
  #include <linux/net.h>
  #include <linux/inet.h>

  #include <linux/slab.h>

  #include <net/sock.h>
  #include <net/inet_ecn.h>
  #include <linux/skbuff.h>
  #include <net/sctp/sctp.h>
  #include <net/sctp/sm.h>
  #include <net/sctp/structs.h>

  #define CREATE_TRACE_POINTS
  #include <trace/events/sctp.h>

  static struct sctp_packet *sctp_abort_pkt_new(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					struct sctp_chunk *chunk,
  					const void *payload, size_t paylen);

  static int sctp_eat_data(const struct sctp_association *asoc,
  			 struct sctp_chunk *chunk,

  			 struct sctp_cmd_seq *commands);

  static struct sctp_packet *sctp_ootb_pkt_new(
  					struct net *net,
  					const struct sctp_association *asoc,
  					const struct sctp_chunk *chunk);

  static void sctp_send_stale_cookie_err(struct net *net,
  				       const struct sctp_endpoint *ep,

  				       const struct sctp_association *asoc,
  				       const struct sctp_chunk *chunk,

  				       struct sctp_cmd_seq *commands,

  				       struct sctp_chunk *err_chunk);

  static enum sctp_disposition sctp_sf_do_5_2_6_stale(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands);
  static enum sctp_disposition sctp_sf_shut_8_4_5(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands);
  static enum sctp_disposition sctp_sf_tabort_8_4_8(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,

  					const union sctp_subtype type,

  					void *arg,

  					struct sctp_cmd_seq *commands);

  static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);

  static enum sctp_disposition sctp_stop_t1_and_abort(
  					struct net *net,
  					struct sctp_cmd_seq *commands,
  					__be16 error, int sk_err,
  					const struct sctp_association *asoc,
  					struct sctp_transport *transport);

  static enum sctp_disposition sctp_sf_abort_violation(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					void *arg,
  					struct sctp_cmd_seq *commands,
  					const __u8 *payload,
  					const size_t paylen);

  static enum sctp_disposition sctp_sf_violation_chunklen(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands);

  static enum sctp_disposition sctp_sf_violation_paramlen(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg, void *ext,
  					struct sctp_cmd_seq *commands);

  static enum sctp_disposition sctp_sf_violation_ctsn(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands);

  static enum sctp_disposition sctp_sf_violation_chunk(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands);

  static enum sctp_ierror sctp_sf_authenticate(

  					const struct sctp_association *asoc,

  					struct sctp_chunk *chunk);

  static enum sctp_disposition __sctp_sf_do_9_1_abort(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,

  					const union sctp_subtype type,

  					void *arg,

  					struct sctp_cmd_seq *commands);

  /* Small helper function that checks if the chunk length
   * is of the appropriate length.  The 'required_length' argument
   * is set to be the size of a specific chunk we are testing.

   * Return Values:  true  = Valid length
   * 		   false = Invalid length

   *
   */

  static inline bool sctp_chunk_length_valid(struct sctp_chunk *chunk,
  					   __u16 required_length)

  {
  	__u16 chunk_length = ntohs(chunk->chunk_hdr->length);

  	/* Previously already marked? */
  	if (unlikely(chunk->pdiscard))

  		return false;

  	if (unlikely(chunk_length < required_length))

  		return false;

  	return true;

  }

  /* Check for format error in an ABORT chunk */
  static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
  {
  	struct sctp_errhdr *err;
  
  	sctp_walk_errors(err, chunk->chunk_hdr);
  
  	return (void *)err == (void *)chunk->chunk_end;
  }

  /**********************************************************
   * These are the state functions for handling chunk events.
   **********************************************************/
  
  /*
   * Process the final SHUTDOWN COMPLETE.
   *
   * Section: 4 (C) (diagram), 9.2
   * Upon reception of the SHUTDOWN COMPLETE chunk the endpoint will verify
   * that it is in SHUTDOWN-ACK-SENT state, if it is not the chunk should be
   * discarded. If the endpoint is in the SHUTDOWN-ACK-SENT state the endpoint
   * should stop the T2-shutdown timer and remove all knowledge of the
   * association (and thus the association enters the CLOSED state).
   *

   * Verification Tag: 8.5.1(C), sctpimpguide 2.41.

   * C) Rules for packet carrying SHUTDOWN COMPLETE:
   * ...

   * - The receiver of a SHUTDOWN COMPLETE shall accept the packet
   *   if the Verification Tag field of the packet matches its own tag and
   *   the T bit is not set
   *   OR
   *   it is set to its peer's tag and the T bit is set in the Chunk
   *   Flags.
   *   Otherwise, the receiver MUST silently discard the packet
   *   and take no further action.  An endpoint MUST ignore the
   *   SHUTDOWN COMPLETE if it is not in the SHUTDOWN-ACK-SENT state.

   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_4_C(struct net *net,
  				     const struct sctp_endpoint *ep,
  				     const struct sctp_association *asoc,
  				     const union sctp_subtype type,
  				     void *arg, struct sctp_cmd_seq *commands)

  {
  	struct sctp_chunk *chunk = arg;
  	struct sctp_ulpevent *ev;

  	if (!sctp_vtag_verify_either(chunk, asoc))

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	/* RFC 2960 6.10 Bundling
  	 *
  	 * An endpoint MUST NOT bundle INIT, INIT ACK or
  	 * SHUTDOWN COMPLETE with any other chunks.
  	 */
  	if (!chunk->singleton)

  		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);

  	/* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))

  		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

  						  commands);

  
  	/* RFC 2960 10.2 SCTP-to-ULP
  	 *
  	 * H) SHUTDOWN COMPLETE notification
  	 *
  	 * When SCTP completes the shutdown procedures (section 9.2) this
  	 * notification is passed to the upper layer.
  	 */
  	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_SHUTDOWN_COMP,

  					     0, 0, 0, NULL, GFP_ATOMIC);

  	if (ev)
  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,

  				SCTP_ULPEVENT(ev));

  
  	/* Upon reception of the SHUTDOWN COMPLETE chunk the endpoint
  	 * will verify that it is in SHUTDOWN-ACK-SENT state, if it is
  	 * not the chunk should be discarded. If the endpoint is in
  	 * the SHUTDOWN-ACK-SENT state the endpoint should stop the
  	 * T2-shutdown timer and remove all knowledge of the
  	 * association (and thus the association enters the CLOSED
  	 * state).
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
  			SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
  
  	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
  			SCTP_TO(SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD));
  
  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
  			SCTP_STATE(SCTP_STATE_CLOSED));

  	SCTP_INC_STATS(net, SCTP_MIB_SHUTDOWNS);
  	SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);

  
  	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
  
  	return SCTP_DISPOSITION_DELETE_TCB;

  }
  
  /*
   * Respond to a normal INIT chunk.
   * We are the side that is being asked for an association.
   *
   * Section: 5.1 Normal Establishment of an Association, B
   * B) "Z" shall respond immediately with an INIT ACK chunk.  The
   *    destination IP address of the INIT ACK MUST be set to the source
   *    IP address of the INIT to which this INIT ACK is responding.  In
   *    the response, besides filling in other parameters, "Z" must set the
   *    Verification Tag field to Tag_A, and also provide its own
   *    Verification Tag (Tag_Z) in the Initiate Tag field.
   *

   * Verification Tag: Must be 0.

   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
  					   const struct sctp_endpoint *ep,
  					   const struct sctp_association *asoc,
  					   const union sctp_subtype type,
  					   void *arg,
  					   struct sctp_cmd_seq *commands)

  {

  	struct sctp_chunk *chunk = arg, *repl, *err_chunk;
  	struct sctp_unrecognized_param *unk_param;

  	struct sctp_association *new_asoc;

  	struct sctp_packet *packet;

  	int len;

  	/* Update socket peer label if first association. */
  	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
  					chunk->skb))
  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	/* 6.10 Bundling
  	 * An endpoint MUST NOT bundle INIT, INIT ACK or
  	 * SHUTDOWN COMPLETE with any other chunks.

  	 *

  	 * IG Section 2.11.2
  	 * Furthermore, we require that the receiver of an INIT chunk MUST
  	 * enforce these rules by silently discarding an arriving packet
  	 * with an INIT chunk that is bundled with other chunks.
  	 */
  	if (!chunk->singleton)

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  
  	/* If the packet is an OOTB packet which is temporarily on the
  	 * control endpoint, respond with an ABORT.
  	 */

  	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {

  		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);

  		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

  	}

  	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification

  	 * Tag.

  	 */
  	if (chunk->sctp_hdr->vtag != 0)

  		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

  
  	/* Make sure that the INIT chunk has a valid length.
  	 * Normally, this would cause an ABORT with a Protocol Violation
  	 * error, but since we don't have an association, we'll
  	 * just discard the packet.
  	 */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	/* If the INIT is coming toward a closing socket, we'll send back
  	 * and ABORT.  Essentially, this catches the race of INIT being
  	 * backloged to the socket at the same time as the user isses close().
  	 * Since the socket and all its associations are going away, we
  	 * can treat this OOTB
  	 */
  	if (sctp_sstate(ep->base.sk, CLOSING))

  		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

  	/* Verify the INIT chunk before processing it. */
  	err_chunk = NULL;

  	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,

  			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,

  			      &err_chunk)) {
  		/* This chunk contains fatal error. It is to be discarded.
  		 * Send an ABORT, with causes if there is any.
  		 */
  		if (err_chunk) {

  			packet = sctp_abort_pkt_new(net, ep, asoc, arg,

  					(__u8 *)(err_chunk->chunk_hdr) +

  					sizeof(struct sctp_chunkhdr),

  					ntohs(err_chunk->chunk_hdr->length) -

  					sizeof(struct sctp_chunkhdr));

  
  			sctp_chunk_free(err_chunk);
  
  			if (packet) {
  				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
  						SCTP_PACKET(packet));

  				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

  				return SCTP_DISPOSITION_CONSUME;
  			} else {
  				return SCTP_DISPOSITION_NOMEM;
  			}
  		} else {

  			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,

  						    commands);
  		}
  	}

  	/* Grab the INIT header.  */

  	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;

  
  	/* Tag the variable length parameters.  */

  	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));

  
  	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
  	if (!new_asoc)
  		goto nomem;

  	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
  					     sctp_scope(sctp_source(chunk)),
  					     GFP_ATOMIC) < 0)
  		goto nomem_init;

  	/* The call, sctp_process_init(), can fail on memory allocation.  */

  	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),

  			       (struct sctp_init_chunk *)chunk->chunk_hdr,

  			       GFP_ATOMIC))
  		goto nomem_init;

  	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
  
  	/* If there are errors need to be reported for unknown parameters,
  	 * make sure to reserve enough room in the INIT ACK for them.
  	 */
  	len = 0;
  	if (err_chunk)
  		len = ntohs(err_chunk->chunk_hdr->length) -

  		      sizeof(struct sctp_chunkhdr);

  	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
  	if (!repl)

  		goto nomem_init;

  
  	/* If there are errors need to be reported for unknown parameters,
  	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
  	 * parameter.
  	 */
  	if (err_chunk) {
  		/* Get the "Unrecognized parameter" parameter(s) out of the
  		 * ERROR chunk generated by sctp_verify_init(). Since the
  		 * error cause code for "unknown parameter" and the
  		 * "Unrecognized parameter" type is the same, we can
  		 * construct the parameters in INIT ACK by copying the
  		 * ERROR causes over.
  		 */

  		unk_param = (struct sctp_unrecognized_param *)

  			    ((__u8 *)(err_chunk->chunk_hdr) +

  			    sizeof(struct sctp_chunkhdr));

  		/* Replace the cause code with the "Unrecognized parameter"
  		 * parameter type.
  		 */
  		sctp_addto_chunk(repl, len, unk_param);
  		sctp_chunk_free(err_chunk);
  	}

  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));

  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
  
  	/*
  	 * Note:  After sending out INIT ACK with the State Cookie parameter,
  	 * "Z" MUST NOT allocate any resources, nor keep any states for the
  	 * new association.  Otherwise, "Z" will be vulnerable to resource
  	 * attacks.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
  
  	return SCTP_DISPOSITION_DELETE_TCB;

  nomem_init:
  	sctp_association_free(new_asoc);
  nomem:

  	if (err_chunk)
  		sctp_chunk_free(err_chunk);

  	return SCTP_DISPOSITION_NOMEM;
  }
  
  /*
   * Respond to a normal INIT ACK chunk.
   * We are the side that is initiating the association.
   *
   * Section: 5.1 Normal Establishment of an Association, C
   * C) Upon reception of the INIT ACK from "Z", "A" shall stop the T1-init
   *    timer and leave COOKIE-WAIT state. "A" shall then send the State
   *    Cookie received in the INIT ACK chunk in a COOKIE ECHO chunk, start
   *    the T1-cookie timer, and enter the COOKIE-ECHOED state.
   *
   *    Note: The COOKIE ECHO chunk can be bundled with any pending outbound
   *    DATA chunks, but it MUST be the first chunk in the packet and
   *    until the COOKIE ACK is returned the sender MUST NOT send any
   *    other packets to the peer.
   *
   * Verification Tag: 3.3.3
   *   If the value of the Initiate Tag in a received INIT ACK chunk is
   *   found to be 0, the receiver MUST treat it as an error and close the
   *   association by transmitting an ABORT.
   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
  					  const struct sctp_endpoint *ep,
  					  const struct sctp_association *asoc,
  					  const union sctp_subtype type,
  					  void *arg,
  					  struct sctp_cmd_seq *commands)

  {

  	struct sctp_init_chunk *initchunk;

  	struct sctp_chunk *chunk = arg;

  	struct sctp_chunk *err_chunk;
  	struct sctp_packet *packet;

  
  	if (!sctp_vtag_verify(chunk, asoc))

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	/* 6.10 Bundling
  	 * An endpoint MUST NOT bundle INIT, INIT ACK or
  	 * SHUTDOWN COMPLETE with any other chunks.
  	 */
  	if (!chunk->singleton)

  		return sctp_sf_violation_chunk(net, ep, asoc, type, arg, commands);

  	/* Make sure that the INIT-ACK chunk has a valid length */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_initack_chunk)))

  		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

  						  commands);

  	/* Grab the INIT header.  */

  	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;

  	/* Verify the INIT chunk before processing it. */
  	err_chunk = NULL;

  	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,

  			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,

  			      &err_chunk)) {

  		enum sctp_error error = SCTP_ERROR_NO_RESOURCE;

  		/* This chunk contains fatal error. It is to be discarded.

  		 * Send an ABORT, with causes.  If there are no causes,
  		 * then there wasn't enough memory.  Just terminate
  		 * the association.

  		 */
  		if (err_chunk) {

  			packet = sctp_abort_pkt_new(net, ep, asoc, arg,

  					(__u8 *)(err_chunk->chunk_hdr) +

  					sizeof(struct sctp_chunkhdr),

  					ntohs(err_chunk->chunk_hdr->length) -

  					sizeof(struct sctp_chunkhdr));

  
  			sctp_chunk_free(err_chunk);
  
  			if (packet) {
  				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
  						SCTP_PACKET(packet));

  				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

  				error = SCTP_ERROR_INV_PARAM;

  			}

  		}

  
  		/* SCTP-AUTH, Section 6.3:
  		 *    It should be noted that if the receiver wants to tear
  		 *    down an association in an authenticated way only, the
  		 *    handling of malformed packets should not result in
  		 *    tearing down the association.
  		 *
  		 * This means that if we only want to abort associations
  		 * in an authenticated way (i.e AUTH+ABORT), then we

  		 * can't destroy this association just because the packet

  		 * was malformed.
  		 */
  		if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))

  			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
  		return sctp_stop_t1_and_abort(net, commands, error, ECONNREFUSED,

  						asoc, chunk->transport);

  	}
  
  	/* Tag the variable length parameters.  Note that we never
  	 * convert the parameters in an INIT chunk.
  	 */

  	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));

  	initchunk = (struct sctp_init_chunk *)chunk->chunk_hdr;

  
  	sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
  			SCTP_PEER_INIT(initchunk));

  	/* Reset init error count upon receipt of INIT-ACK.  */
  	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());

  	/* 5.1 C) "A" shall stop the T1-init timer and leave
  	 * COOKIE-WAIT state.  "A" shall then ... start the T1-cookie
  	 * timer, and enter the COOKIE-ECHOED state.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
  			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
  	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
  			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
  			SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));

  	/* SCTP-AUTH: genereate the assocition shared keys so that
  	 * we can potentially signe the COOKIE-ECHO.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());

  	/* 5.1 C) "A" shall then send the State Cookie received in the
  	 * INIT ACK chunk in a COOKIE ECHO chunk, ...
  	 */
  	/* If there is any errors to report, send the ERROR chunk generated
  	 * for unknown parameters as well.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_GEN_COOKIE_ECHO,
  			SCTP_CHUNK(err_chunk));
  
  	return SCTP_DISPOSITION_CONSUME;

  }

  static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
  				   const struct sctp_association *asoc)
  {
  	struct sctp_chunk auth;
  
  	if (!chunk->auth_chunk)
  		return true;
  
  	/* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
  	 * is supposed to be authenticated and we have to do delayed
  	 * authentication.  We've just recreated the association using
  	 * the information in the cookie and now it's much easier to
  	 * do the authentication.
  	 */
  
  	/* Make sure that we and the peer are AUTH capable */
  	if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
  		return false;
  
  	/* set-up our fake chunk so that we can process it */
  	auth.skb = chunk->auth_chunk;
  	auth.asoc = chunk->asoc;
  	auth.sctp_hdr = chunk->sctp_hdr;
  	auth.chunk_hdr = (struct sctp_chunkhdr *)
  				skb_push(chunk->auth_chunk,
  					 sizeof(struct sctp_chunkhdr));
  	skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
  	auth.transport = chunk->transport;
  
  	return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
  }

  /*
   * Respond to a normal COOKIE ECHO chunk.
   * We are the side that is being asked for an association.
   *
   * Section: 5.1 Normal Establishment of an Association, D
   * D) Upon reception of the COOKIE ECHO chunk, Endpoint "Z" will reply
   *    with a COOKIE ACK chunk after building a TCB and moving to
   *    the ESTABLISHED state. A COOKIE ACK chunk may be bundled with
   *    any pending DATA chunks (and/or SACK chunks), but the COOKIE ACK
   *    chunk MUST be the first chunk in the packet.
   *
   *   IMPLEMENTATION NOTE: An implementation may choose to send the
   *   Communication Up notification to the SCTP user upon reception
   *   of a valid COOKIE ECHO chunk.
   *
   * Verification Tag: 8.5.1 Exceptions in Verification Tag Rules
   * D) Rules for packet carrying a COOKIE ECHO
   *
   * - When sending a COOKIE ECHO, the endpoint MUST use the value of the
   *   Initial Tag received in the INIT ACK.
   *
   * - The receiver of a COOKIE ECHO follows the procedures in Section 5.
   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
  					 const struct sctp_endpoint *ep,
  					 const struct sctp_association *asoc,
  					 const union sctp_subtype type,
  					 void *arg,
  					 struct sctp_cmd_seq *commands)

  {

  	struct sctp_ulpevent *ev, *ai_ev = NULL, *auth_ev = NULL;

  	struct sctp_association *new_asoc;

  	struct sctp_init_chunk *peer_init;

  	struct sctp_chunk *chunk = arg;

  	struct sctp_chunk *err_chk_p;

  	struct sctp_chunk *repl;

  	struct sock *sk;

  	int error = 0;

  
  	/* If the packet is an OOTB packet which is temporarily on the
  	 * control endpoint, respond with an ABORT.
  	 */

  	if (ep == sctp_sk(net->sctp.ctl_sock)->ep) {

  		SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);

  		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

  	}

  
  	/* Make sure that the COOKIE_ECHO chunk has a valid length.
  	 * In this case, we check that we have enough for at least a
  	 * chunk header.  More detailed verification is done
  	 * in sctp_unpack_cookie().
  	 */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	/* If the endpoint is not listening or if the number of associations
  	 * on the TCP-style socket exceed the max backlog, respond with an
  	 * ABORT.
  	 */
  	sk = ep->base.sk;
  	if (!sctp_sstate(sk, LISTENING) ||
  	    (sctp_style(sk, TCP) && sk_acceptq_is_full(sk)))

  		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

  	/* "Decode" the chunk.  We have no optional parameters so we
  	 * are in good shape.
  	 */

  	chunk->subh.cookie_hdr =

  		(struct sctp_signed_cookie *)chunk->skb->data;

  	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -

  					 sizeof(struct sctp_chunkhdr)))

  		goto nomem;

  
  	/* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
  	 * "Z" will reply with a COOKIE ACK chunk after building a TCB
  	 * and moving to the ESTABLISHED state.
  	 */
  	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
  				      &err_chk_p);
  
  	/* FIXME:
  	 * If the re-build failed, what is the proper error path
  	 * from here?
  	 *
  	 * [We should abort the association. --piggy]
  	 */
  	if (!new_asoc) {
  		/* FIXME: Several errors are possible.  A bad cookie should
  		 * be silently discarded, but think about logging it too.
  		 */
  		switch (error) {
  		case -SCTP_IERROR_NOMEM:
  			goto nomem;
  
  		case -SCTP_IERROR_STALE_COOKIE:

  			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,

  						   err_chk_p);

  			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  
  		case -SCTP_IERROR_BAD_SIG:
  		default:

  			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  		}

  	}

  	/* Delay state machine commands until later.
  	 *
  	 * Re-build the bind address for the association is done in

  	 * the sctp_unpack_cookie() already.
  	 */
  	/* This is a brand-new association, so these are not yet side
  	 * effects--it is safe to run them here.
  	 */
  	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];

  	if (!sctp_process_init(new_asoc, chunk,

  			       &chunk->subh.cookie_hdr->c.peer_addr,

  			       peer_init, GFP_ATOMIC))
  		goto nomem_init;

  	/* SCTP-AUTH:  Now that we've populate required fields in
  	 * sctp_process_init, set up the assocaition shared keys as
  	 * necessary so that we can potentially authenticate the ACK
  	 */
  	error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
  	if (error)
  		goto nomem_init;

  	if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
  		sctp_association_free(new_asoc);
  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	}

  	repl = sctp_make_cookie_ack(new_asoc, chunk);
  	if (!repl)

  		goto nomem_init;

  
  	/* RFC 2960 5.1 Normal Establishment of an Association
  	 *
  	 * D) IMPLEMENTATION NOTE: An implementation may choose to
  	 * send the Communication Up notification to the SCTP user
  	 * upon reception of a valid COOKIE ECHO chunk.
  	 */
  	ev = sctp_ulpevent_make_assoc_change(new_asoc, 0, SCTP_COMM_UP, 0,
  					     new_asoc->c.sinit_num_ostreams,
  					     new_asoc->c.sinit_max_instreams,

  					     NULL, GFP_ATOMIC);

  	if (!ev)
  		goto nomem_ev;

  	/* Sockets API Draft Section 5.3.1.6

  	 * When a peer sends a Adaptation Layer Indication parameter , SCTP

  	 * delivers this notification to inform the application that of the

  	 * peers requested adaptation layer.

  	 */

  	if (new_asoc->peer.adaptation_ind) {
  		ai_ev = sctp_ulpevent_make_adaptation_indication(new_asoc,

  							    GFP_ATOMIC);

  		if (!ai_ev)
  			goto nomem_aiev;
  	}

  	if (!new_asoc->peer.auth_capable) {
  		auth_ev = sctp_ulpevent_make_authkey(new_asoc, 0,
  						     SCTP_AUTH_NO_AUTH,
  						     GFP_ATOMIC);
  		if (!auth_ev)
  			goto nomem_authev;
  	}

  	/* Add all the state machine commands now since we've created
  	 * everything.  This way we don't introduce memory corruptions
  	 * during side-effect processing and correclty count established
  	 * associations.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
  			SCTP_STATE(SCTP_STATE_ESTABLISHED));

  	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
  	SCTP_INC_STATS(net, SCTP_MIB_PASSIVEESTABS);

  	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());

  	if (new_asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])

  		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
  				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));

  	/* This will send the COOKIE ACK */
  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
  
  	/* Queue the ASSOC_CHANGE event */
  	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
  
  	/* Send up the Adaptation Layer Indication event */
  	if (ai_ev)

  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,

  				SCTP_ULPEVENT(ai_ev));

  	if (auth_ev)
  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
  				SCTP_ULPEVENT(auth_ev));

  	return SCTP_DISPOSITION_CONSUME;

  nomem_authev:
  	sctp_ulpevent_free(ai_ev);

  nomem_aiev:
  	sctp_ulpevent_free(ev);

  nomem_ev:
  	sctp_chunk_free(repl);

  nomem_init:
  	sctp_association_free(new_asoc);
  nomem:
  	return SCTP_DISPOSITION_NOMEM;
  }
  
  /*
   * Respond to a normal COOKIE ACK chunk.

   * We are the side that is asking for an association.

   *
   * RFC 2960 5.1 Normal Establishment of an Association
   *
   * E) Upon reception of the COOKIE ACK, endpoint "A" will move from the
   *    COOKIE-ECHOED state to the ESTABLISHED state, stopping the T1-cookie
   *    timer. It may also notify its ULP about the successful
   *    establishment of the association with a Communication Up
   *    notification (see Section 10).
   *
   * Verification Tag:
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
  					 const struct sctp_endpoint *ep,
  					 const struct sctp_association *asoc,
  					 const union sctp_subtype type,
  					 void *arg,
  					 struct sctp_cmd_seq *commands)

  {
  	struct sctp_chunk *chunk = arg;
  	struct sctp_ulpevent *ev;
  
  	if (!sctp_vtag_verify(chunk, asoc))

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  
  	/* Verify that the chunk length for the COOKIE-ACK is OK.
  	 * If we don't do this, any bundled chunks may be junked.
  	 */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))

  		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

  						  commands);
  
  	/* Reset init error count upon receipt of COOKIE-ACK,
  	 * to avoid problems with the managemement of this
  	 * counter in stale cookie situations when a transition back
  	 * from the COOKIE-ECHOED state to the COOKIE-WAIT
  	 * state is performed.
  	 */

  	sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());

  	/* Set peer label for connection. */
  	security_inet_conn_established(ep->base.sk, chunk->skb);

  	/* RFC 2960 5.1 Normal Establishment of an Association
  	 *
  	 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
  	 * from the COOKIE-ECHOED state to the ESTABLISHED state,
  	 * stopping the T1-cookie timer.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
  			SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
  			SCTP_STATE(SCTP_STATE_ESTABLISHED));

  	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
  	SCTP_INC_STATS(net, SCTP_MIB_ACTIVEESTABS);

  	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());

  	if (asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE])

  		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_START,
  				SCTP_TO(SCTP_EVENT_TIMEOUT_AUTOCLOSE));

  
  	/* It may also notify its ULP about the successful
  	 * establishment of the association with a Communication Up
  	 * notification (see Section 10).
  	 */
  	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_COMM_UP,
  					     0, asoc->c.sinit_num_ostreams,
  					     asoc->c.sinit_max_instreams,

  					     NULL, GFP_ATOMIC);

  
  	if (!ev)
  		goto nomem;
  
  	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
  
  	/* Sockets API Draft Section 5.3.1.6

  	 * When a peer sends a Adaptation Layer Indication parameter , SCTP

  	 * delivers this notification to inform the application that of the

  	 * peers requested adaptation layer.

  	 */

  	if (asoc->peer.adaptation_ind) {
  		ev = sctp_ulpevent_make_adaptation_indication(asoc, GFP_ATOMIC);

  		if (!ev)
  			goto nomem;
  
  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
  				SCTP_ULPEVENT(ev));
  	}

  	if (!asoc->peer.auth_capable) {
  		ev = sctp_ulpevent_make_authkey(asoc, 0, SCTP_AUTH_NO_AUTH,
  						GFP_ATOMIC);
  		if (!ev)
  			goto nomem;
  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
  				SCTP_ULPEVENT(ev));
  	}

  	return SCTP_DISPOSITION_CONSUME;
  nomem:
  	return SCTP_DISPOSITION_NOMEM;
  }
  
  /* Generate and sendout a heartbeat packet.  */

  static enum sctp_disposition sctp_sf_heartbeat(
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands)

  {
  	struct sctp_transport *transport = (struct sctp_transport *) arg;
  	struct sctp_chunk *reply;

  
  	/* Send a heartbeat to our peer.  */

  	reply = sctp_make_heartbeat(asoc, transport);

  	if (!reply)
  		return SCTP_DISPOSITION_NOMEM;
  
  	/* Set rto_pending indicating that an RTT measurement
  	 * is started with this heartbeat chunk.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_RTO_PENDING,
  			SCTP_TRANSPORT(transport));
  
  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
  	return SCTP_DISPOSITION_CONSUME;
  }
  
  /* Generate a HEARTBEAT packet on the given transport.  */

  enum sctp_disposition sctp_sf_sendbeat_8_3(struct net *net,
  					   const struct sctp_endpoint *ep,
  					   const struct sctp_association *asoc,
  					   const union sctp_subtype type,
  					   void *arg,
  					   struct sctp_cmd_seq *commands)

  {
  	struct sctp_transport *transport = (struct sctp_transport *) arg;

  	if (asoc->overall_error_count >= asoc->max_retrans) {

  		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
  				SCTP_ERROR(ETIMEDOUT));

  		/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
  		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,

  				SCTP_PERR(SCTP_ERROR_NO_ERROR));

  		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
  		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);

  		return SCTP_DISPOSITION_DELETE_TCB;
  	}
  
  	/* Section 3.3.5.
  	 * The Sender-specific Heartbeat Info field should normally include
  	 * information about the sender's current time when this HEARTBEAT
  	 * chunk is sent and the destination transport address to which this
  	 * HEARTBEAT is sent (see Section 8.3).
  	 */

  	if (transport->param_flags & SPP_HB_ENABLE) {

  		if (SCTP_DISPOSITION_NOMEM ==
  				sctp_sf_heartbeat(ep, asoc, type, arg,
  						  commands))
  			return SCTP_DISPOSITION_NOMEM;

  		/* Set transport error counter and association error counter
  		 * when sending heartbeat.
  		 */

  		sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_HB_SENT,

  				SCTP_TRANSPORT(transport));
  	}

  	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_IDLE,
  			SCTP_TRANSPORT(transport));

  	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMER_UPDATE,
  			SCTP_TRANSPORT(transport));

  	return SCTP_DISPOSITION_CONSUME;

  }

  /* resend asoc strreset_chunk.  */

  enum sctp_disposition sctp_sf_send_reconf(struct net *net,
  					  const struct sctp_endpoint *ep,
  					  const struct sctp_association *asoc,
  					  const union sctp_subtype type,
  					  void *arg,
  					  struct sctp_cmd_seq *commands)

  {
  	struct sctp_transport *transport = arg;
  
  	if (asoc->overall_error_count >= asoc->max_retrans) {
  		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
  				SCTP_ERROR(ETIMEDOUT));
  		/* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
  		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
  				SCTP_PERR(SCTP_ERROR_NO_ERROR));
  		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
  		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
  		return SCTP_DISPOSITION_DELETE_TCB;
  	}
  
  	sctp_chunk_hold(asoc->strreset_chunk);
  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
  			SCTP_CHUNK(asoc->strreset_chunk));
  	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
  
  	return SCTP_DISPOSITION_CONSUME;
  }

  /*
   * Process an heartbeat request.
   *
   * Section: 8.3 Path Heartbeat
   * The receiver of the HEARTBEAT should immediately respond with a
   * HEARTBEAT ACK that contains the Heartbeat Information field copied
   * from the received HEARTBEAT chunk.
   *
   * Verification Tag:  8.5 Verification Tag [Normal verification]
   * When receiving an SCTP packet, the endpoint MUST ensure that the
   * value in the Verification Tag field of the received SCTP packet
   * matches its own Tag. If the received Verification Tag value does not
   * match the receiver's own tag value, the receiver shall silently
   * discard the packet and shall not process it any further except for
   * those cases listed in Section 8.5.1 below.
   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_beat_8_3(struct net *net,
  				       const struct sctp_endpoint *ep,
  				       const struct sctp_association *asoc,
  				       const union sctp_subtype type,
  				       void *arg, struct sctp_cmd_seq *commands)

  {

  	struct sctp_paramhdr *param_hdr;

  	struct sctp_chunk *chunk = arg;
  	struct sctp_chunk *reply;
  	size_t paylen = 0;
  
  	if (!sctp_vtag_verify(chunk, asoc))

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  
  	/* Make sure that the HEARTBEAT chunk has a valid length. */

  	if (!sctp_chunk_length_valid(chunk,
  				     sizeof(struct sctp_heartbeat_chunk)))

  		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

  						  commands);
  
  	/* 8.3 The receiver of the HEARTBEAT should immediately
  	 * respond with a HEARTBEAT ACK that contains the Heartbeat
  	 * Information field copied from the received HEARTBEAT chunk.
  	 */

  	chunk->subh.hb_hdr = (struct sctp_heartbeathdr *)chunk->skb->data;

  	param_hdr = (struct sctp_paramhdr *)chunk->subh.hb_hdr;

  	paylen = ntohs(chunk->chunk_hdr->length) - sizeof(struct sctp_chunkhdr);

  
  	if (ntohs(param_hdr->length) > paylen)
  		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
  						  param_hdr, commands);

  	if (!pskb_pull(chunk->skb, paylen))
  		goto nomem;

  	reply = sctp_make_heartbeat_ack(asoc, chunk, param_hdr, paylen);

  	if (!reply)
  		goto nomem;
  
  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
  	return SCTP_DISPOSITION_CONSUME;
  
  nomem:
  	return SCTP_DISPOSITION_NOMEM;
  }
  
  /*
   * Process the returning HEARTBEAT ACK.
   *
   * Section: 8.3 Path Heartbeat
   * Upon the receipt of the HEARTBEAT ACK, the sender of the HEARTBEAT
   * should clear the error counter of the destination transport
   * address to which the HEARTBEAT was sent, and mark the destination
   * transport address as active if it is not so marked. The endpoint may
   * optionally report to the upper layer when an inactive destination
   * address is marked as active due to the reception of the latest
   * HEARTBEAT ACK. The receiver of the HEARTBEAT ACK must also
   * clear the association overall error count as well (as defined
   * in section 8.1).
   *
   * The receiver of the HEARTBEAT ACK should also perform an RTT
   * measurement for that destination transport address using the time
   * value carried in the HEARTBEAT ACK chunk.
   *
   * Verification Tag:  8.5 Verification Tag [Normal verification]
   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_backbeat_8_3(struct net *net,
  					   const struct sctp_endpoint *ep,
  					   const struct sctp_association *asoc,
  					   const union sctp_subtype type,
  					   void *arg,
  					   struct sctp_cmd_seq *commands)

  {

  	struct sctp_sender_hb_info *hbinfo;

  	struct sctp_chunk *chunk = arg;

  	struct sctp_transport *link;

  	unsigned long max_interval;

  	union sctp_addr from_addr;

  
  	if (!sctp_vtag_verify(chunk, asoc))

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  
  	/* Make sure that the HEARTBEAT-ACK chunk has a valid length.  */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr) +

  					    sizeof(*hbinfo)))

  		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

  						  commands);

  	hbinfo = (struct sctp_sender_hb_info *)chunk->skb->data;

  	/* Make sure that the length of the parameter is what we expect */

  	if (ntohs(hbinfo->param_hdr.length) != sizeof(*hbinfo))

  		return SCTP_DISPOSITION_DISCARD;

  	from_addr = hbinfo->daddr;

  	link = sctp_assoc_lookup_paddr(asoc, &from_addr);

  
  	/* This should never happen, but lets log it if so.  */

  	if (unlikely(!link)) {
  		if (from_addr.sa.sa_family == AF_INET6) {

  			net_warn_ratelimited("%s association %p could not find address %pI6
  ",
  					     __func__,
  					     asoc,
  					     &from_addr.v6.sin6_addr);

  		} else {

  			net_warn_ratelimited("%s association %p could not find address %pI4
  ",
  					     __func__,
  					     asoc,
  					     &from_addr.v4.sin_addr.s_addr);

  		}

  		return SCTP_DISPOSITION_DISCARD;
  	}

  	/* Validate the 64-bit random nonce. */
  	if (hbinfo->hb_nonce != link->hb_nonce)
  		return SCTP_DISPOSITION_DISCARD;

  	max_interval = link->hbinterval + link->rto;

  
  	/* Check if the timestamp looks valid.  */
  	if (time_after(hbinfo->sent_at, jiffies) ||
  	    time_after(jiffies, hbinfo->sent_at + max_interval)) {

  		pr_debug("%s: HEARTBEAT ACK with invalid timestamp received "
  			 "for transport:%p
  ", __func__, link);

  		return SCTP_DISPOSITION_DISCARD;
  	}
  
  	/* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of
  	 * the HEARTBEAT should clear the error counter of the
  	 * destination transport address to which the HEARTBEAT was
  	 * sent and mark the destination transport address as active if
  	 * it is not so marked.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_TRANSPORT_ON, SCTP_TRANSPORT(link));
  
  	return SCTP_DISPOSITION_CONSUME;
  }
  
  /* Helper function to send out an abort for the restart
   * condition.
   */

  static int sctp_sf_send_restart_abort(struct net *net, union sctp_addr *ssa,

  				      struct sctp_chunk *init,

  				      struct sctp_cmd_seq *commands)

  {

  	struct sctp_af *af = sctp_get_af_specific(ssa->v4.sin_family);

  	union sctp_addr_param *addrparm;
  	struct sctp_errhdr *errhdr;

  	char buffer[sizeof(*errhdr) + sizeof(*addrparm)];

  	struct sctp_endpoint *ep;
  	struct sctp_packet *pkt;
  	int len;

  
  	/* Build the error on the stack.   We are way to malloc crazy
  	 * throughout the code today.
  	 */
  	errhdr = (struct sctp_errhdr *)buffer;
  	addrparm = (union sctp_addr_param *)errhdr->variable;
  
  	/* Copy into a parm format. */
  	len = af->to_addr_param(ssa, addrparm);

  	len += sizeof(*errhdr);

  
  	errhdr->cause = SCTP_ERROR_RESTART;
  	errhdr->length = htons(len);
  
  	/* Assign to the control socket. */

  	ep = sctp_sk(net->sctp.ctl_sock)->ep;

  
  	/* Association is NULL since this may be a restart attack and we
  	 * want to send back the attacker's vtag.
  	 */

  	pkt = sctp_abort_pkt_new(net, ep, NULL, init, errhdr, len);

  
  	if (!pkt)
  		goto out;
  	sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, SCTP_PACKET(pkt));

  	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

  
  	/* Discard the rest of the inbound packet. */
  	sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL());
  
  out:
  	/* Even if there is no memory, treat as a failure so
  	 * the packet will get dropped.
  	 */
  	return 0;
  }

  static bool list_has_sctp_addr(const struct list_head *list,
  			       union sctp_addr *ipaddr)
  {
  	struct sctp_transport *addr;
  
  	list_for_each_entry(addr, list, transports) {
  		if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
  			return true;
  	}
  
  	return false;
  }

  /* A restart is occurring, check to make sure no new addresses
   * are being added as we may be under a takeover attack.
   */
  static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
  				       const struct sctp_association *asoc,
  				       struct sctp_chunk *init,

  				       struct sctp_cmd_seq *commands)

  {

  	struct net *net = new_asoc->base.net;

  	struct sctp_transport *new_addr;
  	int ret = 1;

  	/* Implementor's Guide - Section 5.2.2

  	 * ...
  	 * Before responding the endpoint MUST check to see if the
  	 * unexpected INIT adds new addresses to the association. If new
  	 * addresses are added to the association, the endpoint MUST respond
  	 * with an ABORT..
  	 */
  
  	/* Search through all current addresses and make sure
  	 * we aren't adding any new ones.
  	 */

  	list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,

  			    transports) {
  		if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
  					&new_addr->ipaddr)) {

  			sctp_sf_send_restart_abort(net, &new_addr->ipaddr, init,

  						   commands);
  			ret = 0;

  			break;

  		}

  	}
  
  	/* Return success if all addresses were found. */

  	return ret;

  }
  
  /* Populate the verification/tie tags based on overlapping INIT
   * scenario.
   *
   * Note: Do not use in CLOSED or SHUTDOWN-ACK-SENT state.
   */
  static void sctp_tietags_populate(struct sctp_association *new_asoc,
  				  const struct sctp_association *asoc)
  {
  	switch (asoc->state) {
  
  	/* 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State */
  
  	case SCTP_STATE_COOKIE_WAIT:
  		new_asoc->c.my_vtag     = asoc->c.my_vtag;
  		new_asoc->c.my_ttag     = asoc->c.my_vtag;
  		new_asoc->c.peer_ttag   = 0;
  		break;
  
  	case SCTP_STATE_COOKIE_ECHOED:
  		new_asoc->c.my_vtag     = asoc->c.my_vtag;
  		new_asoc->c.my_ttag     = asoc->c.my_vtag;
  		new_asoc->c.peer_ttag   = asoc->c.peer_vtag;
  		break;
  
  	/* 5.2.2 Unexpected INIT in States Other than CLOSED, COOKIE-ECHOED,
  	 * COOKIE-WAIT and SHUTDOWN-ACK-SENT
  	 */
  	default:
  		new_asoc->c.my_ttag   = asoc->c.my_vtag;
  		new_asoc->c.peer_ttag = asoc->c.peer_vtag;
  		break;

  	}

  
  	/* Other parameters for the endpoint SHOULD be copied from the
  	 * existing parameters of the association (e.g. number of
  	 * outbound streams) into the INIT ACK and cookie.
  	 */
  	new_asoc->rwnd                  = asoc->rwnd;
  	new_asoc->c.sinit_num_ostreams  = asoc->c.sinit_num_ostreams;
  	new_asoc->c.sinit_max_instreams = asoc->c.sinit_max_instreams;
  	new_asoc->c.initial_tsn         = asoc->c.initial_tsn;
  }
  
  /*
   * Compare vtag/tietag values to determine unexpected COOKIE-ECHO
   * handling action.
   *
   * RFC 2960 5.2.4 Handle a COOKIE ECHO when a TCB exists.
   *
   * Returns value representing action to be taken.   These action values
   * correspond to Action/Description values in RFC 2960, Table 2.
   */
  static char sctp_tietags_compare(struct sctp_association *new_asoc,
  				 const struct sctp_association *asoc)
  {
  	/* In this case, the peer may have restarted.  */
  	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
  	    (asoc->c.peer_vtag != new_asoc->c.peer_vtag) &&
  	    (asoc->c.my_vtag == new_asoc->c.my_ttag) &&
  	    (asoc->c.peer_vtag == new_asoc->c.peer_ttag))
  		return 'A';
  
  	/* Collision case B. */
  	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
  	    ((asoc->c.peer_vtag != new_asoc->c.peer_vtag) ||
  	     (0 == asoc->c.peer_vtag))) {
  		return 'B';
  	}
  
  	/* Collision case D. */
  	if ((asoc->c.my_vtag == new_asoc->c.my_vtag) &&
  	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag))
  		return 'D';
  
  	/* Collision case C. */
  	if ((asoc->c.my_vtag != new_asoc->c.my_vtag) &&
  	    (asoc->c.peer_vtag == new_asoc->c.peer_vtag) &&
  	    (0 == new_asoc->c.my_ttag) &&
  	    (0 == new_asoc->c.peer_ttag))
  		return 'C';
  
  	/* No match to any of the special cases; discard this packet. */
  	return 'E';
  }
  
  /* Common helper routine for both duplicate and simulataneous INIT
   * chunk handling.
   */

  static enum sctp_disposition sctp_sf_do_unexpected_init(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands)

  {

  	struct sctp_chunk *chunk = arg, *repl, *err_chunk;
  	struct sctp_unrecognized_param *unk_param;

  	struct sctp_association *new_asoc;

  	enum sctp_disposition retval;

  	struct sctp_packet *packet;

  	int len;

  	/* Update socket peer label if first association. */
  	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
  					chunk->skb))
  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	/* 6.10 Bundling
  	 * An endpoint MUST NOT bundle INIT, INIT ACK or
  	 * SHUTDOWN COMPLETE with any other chunks.
  	 *
  	 * IG Section 2.11.2
  	 * Furthermore, we require that the receiver of an INIT chunk MUST
  	 * enforce these rules by silently discarding an arriving packet
  	 * with an INIT chunk that is bundled with other chunks.
  	 */
  	if (!chunk->singleton)

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  
  	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification

  	 * Tag.

  	 */
  	if (chunk->sctp_hdr->vtag != 0)

  		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);

  
  	/* Make sure that the INIT chunk has a valid length.
  	 * In this case, we generate a protocol violation since we have
  	 * an association established.
  	 */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))

  		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

  						  commands);
  	/* Grab the INIT header.  */

  	chunk->subh.init_hdr = (struct sctp_inithdr *)chunk->skb->data;

  
  	/* Tag the variable length parameters.  */

  	chunk->param_hdr.v = skb_pull(chunk->skb, sizeof(struct sctp_inithdr));

  
  	/* Verify the INIT chunk before processing it. */
  	err_chunk = NULL;

  	if (!sctp_verify_init(net, ep, asoc, chunk->chunk_hdr->type,

  			      (struct sctp_init_chunk *)chunk->chunk_hdr, chunk,

  			      &err_chunk)) {
  		/* This chunk contains fatal error. It is to be discarded.
  		 * Send an ABORT, with causes if there is any.
  		 */
  		if (err_chunk) {

  			packet = sctp_abort_pkt_new(net, ep, asoc, arg,

  					(__u8 *)(err_chunk->chunk_hdr) +

  					sizeof(struct sctp_chunkhdr),

  					ntohs(err_chunk->chunk_hdr->length) -

  					sizeof(struct sctp_chunkhdr));

  
  			if (packet) {
  				sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
  						SCTP_PACKET(packet));

  				SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);

  				retval = SCTP_DISPOSITION_CONSUME;
  			} else {
  				retval = SCTP_DISPOSITION_NOMEM;
  			}
  			goto cleanup;
  		} else {

  			return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg,

  						    commands);
  		}
  	}
  
  	/*
  	 * Other parameters for the endpoint SHOULD be copied from the
  	 * existing parameters of the association (e.g. number of
  	 * outbound streams) into the INIT ACK and cookie.
  	 * FIXME:  We are copying parameters from the endpoint not the
  	 * association.
  	 */
  	new_asoc = sctp_make_temp_asoc(ep, chunk, GFP_ATOMIC);
  	if (!new_asoc)
  		goto nomem;

  	if (sctp_assoc_set_bind_addr_from_ep(new_asoc,
  				sctp_scope(sctp_source(chunk)), GFP_ATOMIC) < 0)
  		goto nomem;

  	/* In the outbound INIT ACK the endpoint MUST copy its current
  	 * Verification Tag and Peers Verification tag into a reserved
  	 * place (local tie-tag and per tie-tag) within the state cookie.
  	 */

  	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),

  			       (struct sctp_init_chunk *)chunk->chunk_hdr,

  			       GFP_ATOMIC))
  		goto nomem;

  
  	/* Make sure no new addresses are being added during the
  	 * restart.   Do not do this check for COOKIE-WAIT state,
  	 * since there are no peer addresses to check against.
  	 * Upon return an ABORT will have been sent if needed.
  	 */
  	if (!sctp_state(asoc, COOKIE_WAIT)) {
  		if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk,
  						 commands)) {
  			retval = SCTP_DISPOSITION_CONSUME;

  			goto nomem_retval;

  		}
  	}
  
  	sctp_tietags_populate(new_asoc, asoc);
  
  	/* B) "Z" shall respond immediately with an INIT ACK chunk.  */
  
  	/* If there are errors need to be reported for unknown parameters,
  	 * make sure to reserve enough room in the INIT ACK for them.
  	 */
  	len = 0;
  	if (err_chunk) {
  		len = ntohs(err_chunk->chunk_hdr->length) -

  		      sizeof(struct sctp_chunkhdr);

  	}

  	repl = sctp_make_init_ack(new_asoc, chunk, GFP_ATOMIC, len);
  	if (!repl)
  		goto nomem;
  
  	/* If there are errors need to be reported for unknown parameters,
  	 * include them in the outgoing INIT ACK as "Unrecognized parameter"
  	 * parameter.
  	 */
  	if (err_chunk) {
  		/* Get the "Unrecognized parameter" parameter(s) out of the
  		 * ERROR chunk generated by sctp_verify_init(). Since the
  		 * error cause code for "unknown parameter" and the
  		 * "Unrecognized parameter" type is the same, we can
  		 * construct the parameters in INIT ACK by copying the
  		 * ERROR causes over.
  		 */

  		unk_param = (struct sctp_unrecognized_param *)

  			    ((__u8 *)(err_chunk->chunk_hdr) +

  			    sizeof(struct sctp_chunkhdr));

  		/* Replace the cause code with the "Unrecognized parameter"
  		 * parameter type.
  		 */
  		sctp_addto_chunk(repl, len, unk_param);
  	}
  
  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
  
  	/*
  	 * Note: After sending out INIT ACK with the State Cookie parameter,
  	 * "Z" MUST NOT allocate any resources for this new association.
  	 * Otherwise, "Z" will be vulnerable to resource attacks.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
  	retval = SCTP_DISPOSITION_CONSUME;

  	return retval;
  
  nomem:
  	retval = SCTP_DISPOSITION_NOMEM;
  nomem_retval:
  	if (new_asoc)
  		sctp_association_free(new_asoc);

  cleanup:
  	if (err_chunk)
  		sctp_chunk_free(err_chunk);
  	return retval;

  }
  
  /*

   * Handle simultaneous INIT.

   * This means we started an INIT and then we got an INIT request from
   * our peer.
   *
   * Section: 5.2.1 INIT received in COOKIE-WAIT or COOKIE-ECHOED State (Item B)
   * This usually indicates an initialization collision, i.e., each
   * endpoint is attempting, at about the same time, to establish an
   * association with the other endpoint.
   *
   * Upon receipt of an INIT in the COOKIE-WAIT or COOKIE-ECHOED state, an
   * endpoint MUST respond with an INIT ACK using the same parameters it
   * sent in its original INIT chunk (including its Verification Tag,
   * unchanged). These original parameters are combined with those from the
   * newly received INIT chunk. The endpoint shall also generate a State
   * Cookie with the INIT ACK. The endpoint uses the parameters sent in its
   * INIT to calculate the State Cookie.
   *
   * After that, the endpoint MUST NOT change its state, the T1-init
   * timer shall be left running and the corresponding TCB MUST NOT be
   * destroyed. The normal procedures for handling State Cookies when
   * a TCB exists will resolve the duplicate INITs to a single association.
   *
   * For an endpoint that is in the COOKIE-ECHOED state it MUST populate
   * its Tie-Tags with the Tag information of itself and its peer (see
   * section 5.2.2 for a description of the Tie-Tags).
   *
   * Verification Tag: Not explicit, but an INIT can not have a valid
   * verification tag, so we skip the check.
   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_5_2_1_siminit(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands)

  {
  	/* Call helper to do the real work for both simulataneous and
  	 * duplicate INIT chunk handling.
  	 */

  	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);

  }
  
  /*
   * Handle duplicated INIT messages.  These are usually delayed
   * restransmissions.
   *
   * Section: 5.2.2 Unexpected INIT in States Other than CLOSED,
   * COOKIE-ECHOED and COOKIE-WAIT
   *
   * Unless otherwise stated, upon reception of an unexpected INIT for
   * this association, the endpoint shall generate an INIT ACK with a
   * State Cookie.  In the outbound INIT ACK the endpoint MUST copy its
   * current Verification Tag and peer's Verification Tag into a reserved
   * place within the state cookie.  We shall refer to these locations as
   * the Peer's-Tie-Tag and the Local-Tie-Tag.  The outbound SCTP packet
   * containing this INIT ACK MUST carry a Verification Tag value equal to
   * the Initiation Tag found in the unexpected INIT.  And the INIT ACK
   * MUST contain a new Initiation Tag (randomly generated see Section
   * 5.3.1).  Other parameters for the endpoint SHOULD be copied from the
   * existing parameters of the association (e.g. number of outbound
   * streams) into the INIT ACK and cookie.
   *
   * After sending out the INIT ACK, the endpoint shall take no further
   * actions, i.e., the existing association, including its current state,
   * and the corresponding TCB MUST NOT be changed.
   *
   * Note: Only when a TCB exists and the association is not in a COOKIE-
   * WAIT state are the Tie-Tags populated.  For a normal association INIT
   * (i.e. the endpoint is in a COOKIE-WAIT state), the Tie-Tags MUST be
   * set to 0 (indicating that no previous TCB existed).  The INIT ACK and
   * State Cookie are populated as specified in section 5.2.1.
   *
   * Verification Tag: Not specified, but an INIT has no way of knowing
   * what the verification tag could be, so we ignore it.
   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_5_2_2_dupinit(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,

  					const union sctp_subtype type,

  					void *arg,

  					struct sctp_cmd_seq *commands)

  {
  	/* Call helper to do the real work for both simulataneous and
  	 * duplicate INIT chunk handling.
  	 */

  	return sctp_sf_do_unexpected_init(net, ep, asoc, type, arg, commands);

  }

  /*
   * Unexpected INIT-ACK handler.
   *
   * Section 5.2.3
   * If an INIT ACK received by an endpoint in any state other than the
   * COOKIE-WAIT state, the endpoint should discard the INIT ACK chunk.
   * An unexpected INIT ACK usually indicates the processing of an old or
   * duplicated INIT chunk.
  */

  enum sctp_disposition sctp_sf_do_5_2_3_initack(
  					struct net *net,
  					const struct sctp_endpoint *ep,
  					const struct sctp_association *asoc,
  					const union sctp_subtype type,
  					void *arg,
  					struct sctp_cmd_seq *commands)

  {
  	/* Per the above section, we'll discard the chunk if we have an
  	 * endpoint.  If this is an OOTB INIT-ACK, treat it as such.
  	 */

  	if (ep == sctp_sk(net->sctp.ctl_sock)->ep)

  		return sctp_sf_ootb(net, ep, asoc, type, arg, commands);

  	else

  		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);

  }

  
  /* Unexpected COOKIE-ECHO handler for peer restart (Table 2, action 'A')
   *
   * Section 5.2.4
   *  A)  In this case, the peer may have restarted.
   */

  static enum sctp_disposition sctp_sf_do_dupcook_a(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,
  					struct sctp_chunk *chunk,

  					struct sctp_cmd_seq *commands,

  					struct sctp_association *new_asoc)
  {

  	struct sctp_init_chunk *peer_init;

  	enum sctp_disposition disposition;

  	struct sctp_ulpevent *ev;
  	struct sctp_chunk *repl;
  	struct sctp_chunk *err;

  
  	/* new_asoc is a brand-new association, so these are not yet
  	 * side effects--it is safe to run them here.
  	 */
  	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];

  	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,

  			       GFP_ATOMIC))
  		goto nomem;

  	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
  		goto nomem;

  	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
  		return SCTP_DISPOSITION_DISCARD;

  	/* Make sure no new addresses are being added during the
  	 * restart.  Though this is a pretty complicated attack
  	 * since you'd have to get inside the cookie.
  	 */

  	if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))

  		return SCTP_DISPOSITION_CONSUME;

  
  	/* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
  	 * the peer has restarted (Action A), it MUST NOT setup a new
  	 * association but instead resend the SHUTDOWN ACK and send an ERROR
  	 * chunk with a "Cookie Received while Shutting Down" error cause to
  	 * its peer.
  	*/
  	if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {

  		disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,

  				SCTP_ST_CHUNK(chunk->chunk_hdr->type),
  				chunk, commands);
  		if (SCTP_DISPOSITION_NOMEM == disposition)
  			goto nomem;
  
  		err = sctp_make_op_error(asoc, chunk,
  					 SCTP_ERROR_COOKIE_IN_SHUTDOWN,

  					 NULL, 0, 0);

  		if (err)
  			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
  					SCTP_CHUNK(err));
  
  		return SCTP_DISPOSITION_CONSUME;
  	}

  	/* For now, stop pending T3-rtx and SACK timers, fail any unsent/unacked
  	 * data. Consider the optional choice of resending of this data.

  	 */

  	sctp_add_cmd_sf(commands, SCTP_CMD_T3_RTX_TIMERS_STOP, SCTP_NULL());
  	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
  			SCTP_TO(SCTP_EVENT_TIMEOUT_SACK));

  	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());

  	/* Stop pending T4-rto timer, teardown ASCONF queue, ASCONF-ACK queue
  	 * and ASCONF-ACK cache.
  	 */
  	sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
  			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
  	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());

  	repl = sctp_make_cookie_ack(new_asoc, chunk);
  	if (!repl)
  		goto nomem;

  	/* Report association restart to upper layer. */
  	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
  					     new_asoc->c.sinit_num_ostreams,
  					     new_asoc->c.sinit_max_instreams,

  					     NULL, GFP_ATOMIC);

  	if (!ev)
  		goto nomem_ev;

  	/* Update the content of current association. */
  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));

  	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));

  	if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
  	     sctp_state(asoc, SHUTDOWN_SENT)) &&

  	    (sctp_sstate(asoc->base.sk, CLOSING) ||
  	     sock_flag(asoc->base.sk, SOCK_DEAD))) {

  		/* If the socket has been closed by user, don't
  		 * transition to ESTABLISHED. Instead trigger SHUTDOWN
  		 * bundled with COOKIE_ACK.

  		 */
  		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
  		return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,

  						     SCTP_ST_CHUNK(0), repl,

  						     commands);
  	} else {
  		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
  				SCTP_STATE(SCTP_STATE_ESTABLISHED));
  		sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
  	}

  	return SCTP_DISPOSITION_CONSUME;
  
  nomem_ev:
  	sctp_chunk_free(repl);
  nomem:
  	return SCTP_DISPOSITION_NOMEM;
  }
  
  /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'B')
   *
   * Section 5.2.4
   *   B) In this case, both sides may be attempting to start an association
   *      at about the same time but the peer endpoint started its INIT
   *      after responding to the local endpoint's INIT
   */
  /* This case represents an initialization collision.  */

  static enum sctp_disposition sctp_sf_do_dupcook_b(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,
  					struct sctp_chunk *chunk,

  					struct sctp_cmd_seq *commands,

  					struct sctp_association *new_asoc)
  {

  	struct sctp_init_chunk *peer_init;

  	struct sctp_chunk *repl;
  
  	/* new_asoc is a brand-new association, so these are not yet
  	 * side effects--it is safe to run them here.
  	 */
  	peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];

  	if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,

  			       GFP_ATOMIC))
  		goto nomem;

  	if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
  		goto nomem;

  	if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
  		return SCTP_DISPOSITION_DISCARD;

  	/* Update the content of current association.  */
  	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
  	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
  			SCTP_STATE(SCTP_STATE_ESTABLISHED));

  	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);

  	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
  
  	repl = sctp_make_cookie_ack(new_asoc, chunk);
  	if (!repl)
  		goto nomem;
  
  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));

  
  	/* RFC 2960 5.1 Normal Establishment of an Association
  	 *
  	 * D) IMPLEMENTATION NOTE: An implementation may choose to
  	 * send the Communication Up notification to the SCTP user
  	 * upon reception of a valid COOKIE ECHO chunk.

  	 *
  	 * Sadly, this needs to be implemented as a side-effect, because
  	 * we are not guaranteed to have set the association id of the real
  	 * association and so these notifications need to be delayed until
  	 * the association id is allocated.

  	 */

  	sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_CHANGE, SCTP_U8(SCTP_COMM_UP));

  
  	/* Sockets API Draft Section 5.3.1.6

  	 * When a peer sends a Adaptation Layer Indication parameter , SCTP

  	 * delivers this notification to inform the application that of the

  	 * peers requested adaptation layer.

  	 *
  	 * This also needs to be done as a side effect for the same reason as
  	 * above.

  	 */

  	if (asoc->peer.adaptation_ind)
  		sctp_add_cmd_sf(commands, SCTP_CMD_ADAPTATION_IND, SCTP_NULL());

  	if (!asoc->peer.auth_capable)
  		sctp_add_cmd_sf(commands, SCTP_CMD_PEER_NO_AUTH, SCTP_NULL());

  	return SCTP_DISPOSITION_CONSUME;

  nomem:
  	return SCTP_DISPOSITION_NOMEM;
  }
  
  /* Unexpected COOKIE-ECHO handler for setup collision (Table 2, action 'C')
   *
   * Section 5.2.4
   *  C) In this case, the local endpoint's cookie has arrived late.
   *     Before it arrived, the local endpoint sent an INIT and received an
   *     INIT-ACK and finally sent a COOKIE ECHO with the peer's same tag
   *     but a new tag of its own.
   */
  /* This case represents an initialization collision.  */

  static enum sctp_disposition sctp_sf_do_dupcook_c(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,
  					struct sctp_chunk *chunk,

  					struct sctp_cmd_seq *commands,

  					struct sctp_association *new_asoc)
  {
  	/* The cookie should be silently discarded.
  	 * The endpoint SHOULD NOT change states and should leave
  	 * any timers running.
  	 */
  	return SCTP_DISPOSITION_DISCARD;
  }
  
  /* Unexpected COOKIE-ECHO handler lost chunk (Table 2, action 'D')
   *
   * Section 5.2.4
   *
   * D) When both local and remote tags match the endpoint should always
   *    enter the ESTABLISHED state, if it has not already done so.
   */
  /* This case represents an initialization collision.  */

  static enum sctp_disposition sctp_sf_do_dupcook_d(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,
  					struct sctp_chunk *chunk,

  					struct sctp_cmd_seq *commands,

  					struct sctp_association *new_asoc)
  {

  	struct sctp_ulpevent *ev = NULL, *ai_ev = NULL, *auth_ev = NULL;

  	struct sctp_chunk *repl;
  
  	/* Clarification from Implementor's Guide:
  	 * D) When both local and remote tags match the endpoint should

  	 * enter the ESTABLISHED state, if it is in the COOKIE-ECHOED state.
  	 * It should stop any cookie timer that may be running and send
  	 * a COOKIE ACK.

  	 */

  	if (!sctp_auth_chunk_verify(net, chunk, asoc))
  		return SCTP_DISPOSITION_DISCARD;

  	/* Don't accidentally move back into established state. */
  	if (asoc->state < SCTP_STATE_ESTABLISHED) {
  		sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
  				SCTP_TO(SCTP_EVENT_TIMEOUT_T1_COOKIE));
  		sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
  				SCTP_STATE(SCTP_STATE_ESTABLISHED));

  		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);

  		sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START,
  				SCTP_NULL());
  
  		/* RFC 2960 5.1 Normal Establishment of an Association
  		 *
  		 * D) IMPLEMENTATION NOTE: An implementation may choose
  		 * to send the Communication Up notification to the
  		 * SCTP user upon reception of a valid COOKIE
  		 * ECHO chunk.
  		 */

  		ev = sctp_ulpevent_make_assoc_change(asoc, 0,

  					     SCTP_COMM_UP, 0,

  					     asoc->c.sinit_num_ostreams,
  					     asoc->c.sinit_max_instreams,

  					     NULL, GFP_ATOMIC);

  		if (!ev)
  			goto nomem;

  
  		/* Sockets API Draft Section 5.3.1.6

  		 * When a peer sends a Adaptation Layer Indication parameter,

  		 * SCTP delivers this notification to inform the application

  		 * that of the peers requested adaptation layer.

  		 */

  		if (asoc->peer.adaptation_ind) {
  			ai_ev = sctp_ulpevent_make_adaptation_indication(asoc,

  								 GFP_ATOMIC);

  			if (!ai_ev)

  				goto nomem;

  		}

  
  		if (!asoc->peer.auth_capable) {
  			auth_ev = sctp_ulpevent_make_authkey(asoc, 0,
  							     SCTP_AUTH_NO_AUTH,
  							     GFP_ATOMIC);
  			if (!auth_ev)
  				goto nomem;
  		}

  	}

  	repl = sctp_make_cookie_ack(asoc, chunk);

  	if (!repl)
  		goto nomem;

  	sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));

  	if (ev)
  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
  				SCTP_ULPEVENT(ev));
  	if (ai_ev)
  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
  					SCTP_ULPEVENT(ai_ev));

  	if (auth_ev)
  		sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP,
  				SCTP_ULPEVENT(auth_ev));

  	return SCTP_DISPOSITION_CONSUME;
  
  nomem:

  	if (auth_ev)
  		sctp_ulpevent_free(auth_ev);

  	if (ai_ev)
  		sctp_ulpevent_free(ai_ev);

  	if (ev)
  		sctp_ulpevent_free(ev);
  	return SCTP_DISPOSITION_NOMEM;
  }
  
  /*
   * Handle a duplicate COOKIE-ECHO.  This usually means a cookie-carrying
   * chunk was retransmitted and then delayed in the network.
   *
   * Section: 5.2.4 Handle a COOKIE ECHO when a TCB exists
   *
   * Verification Tag: None.  Do cookie validation.
   *
   * Inputs
   * (endpoint, asoc, chunk)
   *
   * Outputs
   * (asoc, reply_msg, msg_up, timers, counters)
   *
   * The return value is the disposition of the chunk.
   */

  enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
  					struct net *net,

  					const struct sctp_endpoint *ep,

  					const struct sctp_association *asoc,

  					const union sctp_subtype type,

  					void *arg,

  					struct sctp_cmd_seq *commands)

  {

  	struct sctp_association *new_asoc;

  	struct sctp_chunk *chunk = arg;
  	enum sctp_disposition retval;
  	struct sctp_chunk *err_chk_p;

  	int error = 0;
  	char action;

  
  	/* Make sure that the chunk has a valid length from the protocol
  	 * perspective.  In this case check to make sure we have at least
  	 * enough for the chunk header.  Cookie length verification is
  	 * done later.
  	 */

  	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))

  		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,

  						  commands);
  
  	/* "Decode" the chunk.  We have no optional parameters so we
  	 * are in good shape.
  	 */

  	chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;

  	if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -

  					sizeof(struct sctp_chunkhdr)))

  		goto nomem;

  
  	/* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
  	 * of a duplicate COOKIE ECHO match the Verification Tags of the
  	 * current association, consider the State Cookie valid even if
  	 * the lifespan is exceeded.
  	 */
  	new_asoc = sctp_unpack_cookie(ep, asoc, chunk, GFP_ATOMIC, &error,
  				      &err_chk_p);
  
  	/* FIXME:
  	 * If the re-build failed, what is the proper error path
  	 * from here?
  	 *
  	 * [We should abort the association. --piggy]
  	 */
  	if (!new_asoc) {
  		/* FIXME: Several errors are possible.  A bad cookie should
  		 * be silently discarded, but think about logging it too.
  		 */
  		switch (error) {
  		case -SCTP_IERROR_NOMEM:
  			goto nomem;
  
  		case -SCTP_IERROR_STALE_COOKIE:

  			sctp_send_stale_cookie_err(net, ep, asoc, chunk, commands,

  						   err_chk_p);

  			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  		case -SCTP_IERROR_BAD_SIG:
  		default:

  			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  		}

  	}

  	/* Update socket peer label if first association. */
  	if (security_sctp_assoc_request((struct sctp_endpoint *)ep,

  					chunk->skb)) {
  		sctp_association_free(new_asoc);

  		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);

  	}

  	/* Set temp so that it won't be added into hashtable */
  	new_asoc->temp = 1;

  	/* Compare the tie_tag in cookie with the verification tag of
  	 * current association.
  	 */
  	action = sctp_tietags_compare(new_asoc, asoc);
  
  	switch (action) {
  	case 'A': /* Association restart. */

  		retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,

  					      new_asoc);
  		break;
  
  	case 'B': /* Collision case B. */

  		retval = sctp_sf_do_dupcook_b(net, ep, asoc, chunk, commands,

  					      new_asoc);
  		break;
  
  	case 'C': /* Collision case C. */

  		retval = sctp_sf_do_dupcook_c(net, ep, asoc, chunk, commands,

  					      new_asoc);
  		break;
  
  	case 'D': /* Collision case D. */